Is Faulty Code a Risk to National Security?

As you probably know by now, Microsoft convened its Trust Computing 2001 conference in Mountain View, California, on Tuesday, November 6, 2001. According to the Microsoft press release, "The three-day forum here is expected to attract more than 150 leaders from government, business and academic and advocacy groups." In the release, Microsoft director of corporate privacy, Richard Purcell, said that the September 11 attacks on America challenge all conventional thinking about handling privacy and security issues.

Various people are voicing their opinions about the conference. On Sunday, Russ Cooper, owner/operator of the NTBugTraq mailing list, forwarded a message to the list from a group of hackers known as Nomad Mobile Research Centre (NMRC) that spoke out strongly against what it views as impending corporate control over security-risk information. The Nomad group feels that by making such a push, Microsoft is effectively jockeying to eliminate independent freedom to innovate. The message sparked a flurry of debate that brought many interesting comments to the surface. Be sure to stop by the NTBugTraq Web site and read the two threads "Call to arms—Information Anarchy" and "Towards a Responsible Vulnerability Process."

Based on the conversations in those threads, it seems that people generally agree that an immediate change needs to happen in the way people release detailed vulnerability information, but not to the point that it hampers a user's ability to learn about security. Some people are concerned that if corporations withhold and replace detailed security-vulnerability information with a "just-load-the-patch" attitude, there'll be a significant reduction in everyone's independence and ability to learn how to handle network security.

In the Microsoft press release, Purcell points out that, "In many ways, the tensions between privacy and security that formerly existed within the commercial environment have now been brought into the public arena, where the question of how to balance liberty and safety must be debated on the governmental level, because it's now clearly a matter of national security."

Because networking is fundamental to our way of life, we might eventually see laws that require all security professionals to become trained, tested, and certified or even licensed by some overseeing body, probably government. That potential makes sense in light of the terrorism we've experienced recently. Such requirements certainly will help, but are they enough? What about the risks that are known, yet remain unaddressed? What about all the users who still run unpatched versions of Windows, whether current or legacy? We need remedies for those conditions, too, but what are the choices?

While we're busy trying to protect our systems, companies still roll out risky software that users subsequently adopt around the world. For example, Russ Cooper pointed out that on the day that Microsoft released XP, Microsoft also made available a critical system update to address serious XP code problems—many problems that independent, non-Microsoft sanctioned researchers discovered. In another example, Microsoft is pushing for users to adopt its Passport service. Yet someone recently found Passport can expose users' sensitive financial information. You can read about that in Paul Thurrott's article on our Web site, and at the Cnet Web site.

It's obvious that Microsoft hasn't tested thoroughly enough for security problems. Surprised? When combined with the popular Microsoft Hotmail service, your Passport wallet could have become somebody else's "ticket to ride." The person who discovered the problem claims that it took him only 30 minutes to look at the two services (Hotmail and Passport) and find a way to readily exploit unsuspecting users. Nevertheless, at least one online bank, the UK-based Egg, has announced that it will integrate Passport services into its offerings. And as you can probably guess, many customers' response is that if that happens, they'll stop doing business with the Egg bank. Who knows? Maybe Egg customers will realize that most long-standing banks already offer online banking and associated credit or check cards. Given the need to protect national security, does it make any sense to put all your eggs in one basket labeled "Microsoft Passport"? I can only wonder: If terrorists hijack and empty your Passport accounts, who will reimburse you for your loss? Who will offset your financial suffering? Who is accountable? Right now the answer is nobody. You're on your own because software vendors aren't liable for defective products.

Cooper also pointed out that, "...had XP been a car, it would have been recalled, fixed, and shipped anew. No such mechanism exists for Microsoft CDs despite the clearly demonstrated historical proof that most people install the defaults from the original CD and never update it." The same goes for Passport and other .NET services. There's absolutely no vendor accountability or recourse for victims.

I think most people agree that the elimination of full disclosure alone is an attempt to offer security through obscurity. Minimizing full disclosure might be necessary at the present, but it probably won't do much except to strike fear into potential criminals—minimizing full disclosure keeps honest people honest and keeps code-related weapons further out of the reach of terrorists. But it doesn't take a computer scientist to realize that some terrorists and their related sympathizers are more than capable of hacking code base on their own—not all of them have to rely on your disclosure reports.

If we're going to regulate information dissemination and consider laws that require certification or licensing of security-related workers, then that's a good shoe that might fit us well. But, it's only one shoe. The other shoe in the pair must be to institute strict vendor-oversight combined with laws, penalties, and punishment for vendors that fail to produce safe computer products. If we don't make vendors release better code than they currently do, we're actually jeopardizing national security even further. And when we buy those products and install them, we make the problem worse.

Security Administrator is conducting a new poll, which is available on our home page. We'd like to know if you think it's time for the software industry to fall under serious scrutiny for regulatory quality assurance. Security UPDATE has more than 150,000 readers, yet many of you don't express your opinion through our polls. Please take time this week to answer our poll.

If you're a security researcher prone to discovering bugs, I implore you to seriously consider curbing any potential hasty action to release full details of security vulnerabilities you've discovered. Doing so in today's political climate is risky for your own legal welfare, and could possibly place an entire nation in grave danger. I strongly suggest you use ample discretion and work with vendors carefully and expediently to help protect all parties involved against terrorist attacks. Remember: Your simple "zero-day exploit" could easily become a weapon of mass destruction against untold millions of innocent people.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.